CVE-2025-37863 - Vulnerability Details - OpenCVE

In the Linux kernel, the following vulnerability has been resolved: ovl: don't allow datadir only In theory overlayfs could support upper layer directly referring to a data layer, but there's no current use case for this. Originally, when data-only layers were introduced, this wasn't allowed, only introduced by the "datadir+" feature, but without actually handling this case, resulting in an Oops. Fix by disallowing datadir without lowerdir.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

No data.

No data.

No data.

References

Link	Providers
https://git.kernel.org/stable/c/0874b629f65320778e7e3e206177770666d9db18
https://git.kernel.org/stable/c/21d2ffb0e9838a175064c22f3a9de97d1f56f27d
https://git.kernel.org/stable/c/b9e3579213ba648fa23f780e8d53e99011c62331
https://git.kernel.org/stable/c/eb3a04a8516ee9b5174379306f94279fc90424c4

History

Fri, 09 May 2025 07:00:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: ovl: don't allow datadir only In theory overlayfs could support upper layer directly referring to a data layer, but there's no current use case for this. Originally, when data-only layers were introduced, this wasn't allowed, only introduced by the "datadir+" feature, but without actually handling this case, resulting in an Oops. Fix by disallowing datadir without lowerdir.
Title		ovl: don't allow datadir only
References		https://git.kernel.org/stable/c/0874b629f65320778e7e3e206177770666d9db18 https://git.kernel.org/stable/c/21d2ffb0e9838a175064c22f3a9de97d1f56f27d https://git.kernel.org/stable/c/b9e3579213ba648fa23f780e8d53e99011c62331 https://git.kernel.org/stable/c/eb3a04a8516ee9b5174379306f94279fc90424c4

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2025-05-09T06:43:54.250Z

Updated: 2025-05-09T06:43:54.250Z

Reserved: 2025-04-16T04:51:23.958Z

Link: CVE-2025-37863

Vulnrichment

No data.

NVD

Status : Received

Published: 2025-05-09T07:16:07.317

Modified: 2025-05-09T07:16:07.317

Link: CVE-2025-37863

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-37863", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2025-04-16T04:51:23.958Z", "datePublished": "2025-05-09T06:43:54.250Z", "dateUpdated": "2025-05-09T06:43:54.250Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2025-05-09T06:43:54.250Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\novl: don't allow datadir only\n\nIn theory overlayfs could support upper layer directly referring to a data\nlayer, but there's no current use case for this.\n\nOriginally, when data-only layers were introduced, this wasn't allowed,\nonly introduced by the \"datadir+\" feature, but without actually handling\nthis case, resulting in an Oops.\n\nFix by disallowing datadir without lowerdir."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["fs/overlayfs/super.c"], "versions": [{"version": "cc0918b3582c98f12cfb30bf7496496d14bff3e9", "lessThan": "0874b629f65320778e7e3e206177770666d9db18", "status": "affected", "versionType": "git"}, {"version": "24e16e385f2272b1a9df51337a5c32d28a29c7ad", "lessThan": "b9e3579213ba648fa23f780e8d53e99011c62331", "status": "affected", "versionType": "git"}, {"version": "24e16e385f2272b1a9df51337a5c32d28a29c7ad", "lessThan": "21d2ffb0e9838a175064c22f3a9de97d1f56f27d", "status": "affected", "versionType": "git"}, {"version": "24e16e385f2272b1a9df51337a5c32d28a29c7ad", "lessThan": "eb3a04a8516ee9b5174379306f94279fc90424c4", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["fs/overlayfs/super.c"], "versions": [{"version": "6.7", "status": "affected"}, {"version": "0", "lessThan": "6.7", "status": "unaffected", "versionType": "semver"}, {"version": "6.6.88", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.12.25", "lessThanOrEqual": "6.12.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.14.4", "lessThanOrEqual": "6.14.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.15-rc3", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.6.23", "versionEndExcluding": "6.6.88"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.7", "versionEndExcluding": "6.12.25"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.7", "versionEndExcluding": "6.14.4"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.7", "versionEndExcluding": "6.15-rc3"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/0874b629f65320778e7e3e206177770666d9db18"}, {"url": "https://git.kernel.org/stable/c/b9e3579213ba648fa23f780e8d53e99011c62331"}, {"url": "https://git.kernel.org/stable/c/21d2ffb0e9838a175064c22f3a9de97d1f56f27d"}, {"url": "https://git.kernel.org/stable/c/eb3a04a8516ee9b5174379306f94279fc90424c4"}], "title": "ovl: don't allow datadir only", "x_generator": {"engine": "bippy-1.2.0"}}}}